7 States, One Week: The March 2026 Privacy Legislation Wave Compliance Teams Can’t Ignore

If you blinked last week, you missed seven simultaneous state privacy law developments that could reshape your compliance program. Alabama passed a comprehensive consumer data privacy bill. Connecticut released the text of a sweeping CTDPA amendment package. Colorado unanimously advanced children’s digital protections. Utah and Virginia pushed amendment bills toward final votes. Minnesota moved on consumer health data. Oklahoma sat quietly — but not for long.

This isn’t a slow legislative drip. It’s a wave. Here’s what your compliance team needs to know about each state — and what to do about it.


Alabama: Washington Privacy Act Model Comes South

The biggest headline of the week: Alabama’s House passed a consumer data privacy bill that follows the Washington Privacy Act (WPA) model — the same framework adopted by Virginia, Colorado, Connecticut, Montana, and several others.

Key Provisions

  • Applicability threshold: 25,000 consumers (relatively low — small and mid-size businesses take note)
  • Entity-level exemptions: GLBA-regulated financial institutions and HIPAA-covered entities are exempt
  • Small business exemption: Applies if the business does not sell personal data
  • Consumer rights: Access, correction, deletion, portability, and opt-out of targeted advertising and profiling
  • Teens 13–15: Consent required for targeted advertising and sale of personal data — no opt-out signal option
  • Opt-out signals: Required recognition of universal opt-out preference signals (GPC and similar)
  • No DPIA requirement: Notably, the bill does not require data protection impact assessments — a lighter lift than some peer states
  • Enforcement: State attorney general only — no private right of action
  • 45-day right to cure: Available and does not sunset (unlike Colorado’s cure period, which expired)
  • Effective date: May 1, 2027 — if enacted

Compliance Angle

Alabama’s 25,000-consumer threshold is notably lower than Florida’s 100,000 or Texas’s 100,000. Mid-size companies with any Alabama consumer base should treat this as a near-certain addition to their state privacy compliance matrix. The absence of DPIA requirements and of a private right of action makes Alabama friendlier than California or Connecticut — but the teen consent provisions mirror the national trend toward stricter youth data protection.

Action: Add Alabama to your state privacy law tracker. If you’re already compliant with Virginia or Colorado frameworks, the lift should be minimal — the WPA model is intentionally harmonized.


Connecticut: The CTDPA Just Got a Lot More Complex

Senator James Maroney released the text of a CTDPA amendment bill that is, frankly, one of the most comprehensive privacy amendment packages any state has proposed in a single legislative cycle.

What the Amendment Covers

The bill is multi-part and addresses several distinct areas:

1. Data Broker Registration / Delete Act Provision: Connecticut is moving toward a Delete Act-style framework — requiring data brokers to register with the state and honor universal deletion requests. If this passes, Connecticut joins California and Texas in mandating data broker transparency.

2. Algorithmic Pricing Disclosure: Controllers using algorithmic pricing (dynamic pricing, personalized pricing) must disclose this to consumers. This is a first-of-its-kind provision in a U.S. state privacy law and has significant implications for e-commerce, financial services, and insurance.

3. Facial Recognition Technology: New requirements for entities using facial recognition — likely including consent, notice, and use-limitation provisions. Details pending hearing, but the direction is clear: facial recognition is the next frontier of state-level privacy regulation.

4. Publicly Available Information: Amendments to how CTDPA treats publicly available information — tightening the exemption that many organizations have relied upon to avoid compliance obligations for scraped or aggregated data.

5. Employment Profiling: Protections for employees subject to algorithmic profiling — a notable expansion since most U.S. privacy laws explicitly exclude employment contexts.

6. Precise Geolocation Data: Strengthened protections for precise geolocation — consistent with the national trend of heightened post-Dobbs sensitivity around location data.

Status: Set for a committee hearing. The timeline to passage is uncertain, but the breadth of the bill signals that Connecticut intends to maintain its position as one of the most rigorous state privacy regulators.

Compliance Angle

If you’re doing business in Connecticut and have any of the following, start your gap analysis now: dynamic/algorithmic pricing, facial recognition systems, employee monitoring algorithms, or data broker activities. The algorithmic pricing disclosure requirement alone could require significant policy and engineering changes.


Utah: Amendment Extends Coverage to Auto Manufacturers

Utah’s privacy amendment bill has passed the House and moved to Senate floor votes. The key change: the bill applies Utah’s consumer data privacy law to motor vehicle manufacturers — regardless of the standard consumer applicability thresholds.

This is a targeted but significant expansion. Auto manufacturers collect extraordinary amounts of driver data — location, driving behavior, biometrics, connected device interactions. Utah is signaling that this data deserves the same protection as any other personal information.

Compliance Angle

Auto OEMs and their connected vehicle software suppliers with Utah consumers should evaluate whether this amendment triggers new compliance obligations — particularly around data minimization and consent for telematics data.


Virginia: Geolocation Sale Prohibition Moves Forward

Virginia’s amendment bill, which prohibits controllers from selling or offering to sell precise geolocation data, passed the House but was amended and must return to the Senate for concurrence.

Virginia was one of the first states to enact a comprehensive privacy law (VCDPA, 2021). This amendment reflects the ongoing legislative evolution as states respond to real-world privacy harms — particularly the use of location data by data brokers to track individuals at sensitive locations.

Compliance Angle

If your business monetizes location data — directly or through data broker relationships — Virginia’s geolocation sale prohibition should be on your radar alongside similar provisions in Montana, Washington, and Nevada.


Oklahoma: Quiet — But Close

Oklahoma’s comprehensive consumer data privacy bill is awaiting final passage. No significant movement last week, but the legislature is expected to act before session close. Oklahoma’s bill has been tracking closely with the WPA model states.

Watch this space. If Oklahoma enacts, it will bring the total number of U.S. comprehensive state privacy laws to 20+.


Minnesota: Consumer Health Data Gets Attention

Representative Steve Elkins’s HF 2700 received committee attention in Minnesota. The bill amends the state’s existing consumer data privacy law specifically as it relates to consumer health data — mirroring the approach taken by Washington’s My Health My Data Act, which has become the model for state-level health data protection outside HIPAA.

Why This Matters

Consumer health data is the most sensitive category of personal information and is routinely collected by apps, wearables, and wellness platforms that fall outside HIPAA’s scope. Minnesota joining Washington and Nevada in specifically regulating this category is significant.

Compliance Angle

Health-adjacent apps, wellness platforms, fertility tracking services, and any organization collecting symptom, diagnosis, or treatment-adjacent data from Minnesota consumers should monitor HF 2700 closely.


Colorado: Kids Come First — SB 51 Advances Unanimously

Colorado Senator Matt Ball’s SB 51 passed out of a Senate committee unanimously and was placed on the floor for votes. The bill is based on California’s Digital Age Assurance Act — requiring platforms to verify the age of users and implement stronger protections for minors.

What SB 51 Requires

  • Age verification or estimation for platforms likely to be accessed by minors
  • Default privacy-protective settings for verified minor users
  • Prohibition on practices that are harmful to minors (dark patterns, addictive design features)
  • Data minimization requirements for minor user data

Compliance Angle

If you operate any consumer-facing digital platform, children’s digital privacy is no longer a niche compliance concern. California, Colorado, and several other states are converging on similar frameworks. A universal approach to teen and child user data — defaulting to maximum protection — is rapidly becoming the only defensible compliance posture.


The Big Picture: What Compliance Teams Should Do Right Now

This legislative wave follows a clear pattern: states are building on the WPA model but adding category-specific overlays — for health data, location data, children’s data, algorithmic systems, and facial recognition. No two state laws are identical.

Immediate actions:

  1. Update your state privacy law inventory. Alabama (likely 2027), Oklahoma (imminent), and Connecticut’s amendment package all require assessment.

  2. Map your algorithmic systems. Connecticut’s algorithmic pricing disclosure and employment profiling provisions signal that “we use algorithms” is no longer a compliance-free statement.

  3. Audit your teen and children’s data practices. Colorado SB 51 and Alabama’s teen consent requirements are part of a national wave. Build for the strictest standard now.

  4. Review geolocation data monetization. Virginia and Utah are the latest to restrict precise geolocation — this is now a standard compliance consideration in any state with a privacy law.

  5. Assess data broker relationships. Connecticut’s Delete Act provision means any relationship with a data broker that processes Connecticut consumer data may trigger new obligations.

  6. Watch the cure periods. Alabama’s 45-day non-sunsetting cure period is a compliance lifeline. Understand which states offer cure and which don’t before you need it.

The U.S. privacy landscape is no longer “wait for federal law.” It is a permanent patchwork — and this week proved it’s still actively expanding.


Sources: LinkedIn Weekly State Privacy Law Update #7; Troutman Privacy (March 2, 2026); Connecticut Legislature; Colorado Senate; Minnesota Legislature.